connectivity/source/drivers/evoab2/NStatement.cxx | 3 -- editeng/source/editeng/editobj.cxx | 30 +++++++++++++++++----- filter/source/msfilter/msdffimp.cxx | 15 ++++++++--- filter/source/msfilter/svdfppt.cxx | 5 ++- sc/source/filter/starcalc/scflt.cxx | 2 - sd/source/filter/eppt/eppt.cxx | 4 +- svtools/source/dialogs/roadmapwizard.cxx | 10 +++++-- sw/source/filter/ww8/ww8scan.cxx | 17 ++++++++---- tools/source/generic/poly.cxx | 14 +++++----- vcl/generic/fontmanager/fontmanager.cxx | 2 - vcl/source/filter/wmf/winwmf.cxx | 13 +++++++++ vcl/source/gdi/cvtsvm.cxx | 14 ++++++++-- 12 files changed, 95 insertions(+), 34 deletions(-)
New commits: commit c8bd2518dda4593681626c4780f492995dff66e3 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Feb 2 10:38:27 2015 +0000 coverity#1266492 Untrusted value as argument Change-Id: Idbe205df445b29e7a121e93dbd74b2578199699b diff --git a/filter/source/msfilter/svdfppt.cxx b/filter/source/msfilter/svdfppt.cxx index fab6c67..73b1a09 100644 --- a/filter/source/msfilter/svdfppt.cxx +++ b/filter/source/msfilter/svdfppt.cxx @@ -5286,7 +5286,10 @@ void PPTStyleTextPropReader::Init( SvStream& rIn, SdrPowerPointImport& rMan, con sal_uInt32 nMaxStrLen = aString.getLength(); if (nCharAnzRead + nStrLen > nMaxStrLen) nStrLen = nMaxStrLen - nCharAnzRead; - aCharPropSet.maString = aString.copy(nCharAnzRead, nStrLen); + if (nCharAnzRead > static_cast<sal_uInt32>(aString.getLength())) + aCharPropSet.maString = OUString(); + else + aCharPropSet.maString = aString.copy(nCharAnzRead, nStrLen); aCharPropList.push_back( new PPTCharPropSet( aCharPropSet, nCurrentPara ) ); nCharAnzRead += nCharCount; bEmptyParaPossible = false; commit f58b66968ddeb4237ec5a5e406c46866d3400c9e Author: Caolán McNamara <caol...@redhat.com> Date: Mon Feb 2 10:34:45 2015 +0000 coverity#1244944 Untrusted value as argument Change-Id: If50a20e9fbb0bf55488b3ccc8ea28f2a54aa62e0 diff --git a/vcl/source/gdi/cvtsvm.cxx b/vcl/source/gdi/cvtsvm.cxx index 7ba28e5..2f4b17a 100644 --- a/vcl/source/gdi/cvtsvm.cxx +++ b/vcl/source/gdi/cvtsvm.cxx 
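Review bot: In PPTStyleTextPropReader::Init (filter/source/msfilter/svdfppt.cxx) the new range test runs after the clamp `nStrLen = nMaxStrLen - nCharAnzRead;`, so when nCharAnzRead is already past the end of the string that subtraction has wrapped before the guard picks the empty-string branch. Testing first and reusing the existing local, `if (nCharAnzRead > nMaxStrLen)`, with the clamp moved into the else branch, keeps nStrLen sane and drops the repeated `aString.getLength()` cast. If nCharAnzRead and nStrLen are 32-bit unsigned like nMaxStrLen (their declarations are outside the hunk), the sum in `nCharAnzRead + nStrLen > nMaxStrLen` can itself wrap for large file-supplied counts and skip the clamp; once the range test has passed, `if (nStrLen > nMaxStrLen - nCharAnzRead)` avoids that.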
@@ -413,10 +413,20 @@ void ImplReadExtendedPolyPolygonAction(SvStream& rIStm, tools::PolyPolygon& rPol for(sal_uInt16 a(0); a < nPolygonCount; a++) { sal_uInt16 nPointCount(0); - rIStm.ReadUInt16( nPointCount ); + rIStm.ReadUInt16(nPointCount); + + const size_t nMinPolygonSize = sizeof(sal_Int32) * 2; + const size_t nMaxPolygons = rIStm.remainingSize() / nMinPolygonSize; + if (nPointCount > nMaxPolygons) + { + SAL_WARN("vcl.gdi", "Parsing error: " << nMaxPolygons << + " max possible entries, but " << nPointCount << " claimed, truncating"); + nPointCount = nMaxPolygons; + } + Polygon aCandidate(nPointCount); - if(nPointCount) + if (nPointCount) { for(sal_uInt16 b(0); b < nPointCount; b++) { commit 1caa8a72a63b35728abbbe006c3f18dc50d1b7cd Author: Caolán McNamara <caol...@redhat.com> Date: Mon Feb 2 10:27:03 2015 +0000 coverity#1242895 Untrusted loop bound Change-Id: I2d38746e8ed23a5fb51ee94a72b5676bae3c8710 diff --git a/sc/source/filter/starcalc/scflt.cxx b/sc/source/filter/starcalc/scflt.cxx index 19ee464..92802a1 100644 --- a/sc/source/filter/starcalc/scflt.cxx +++ b/sc/source/filter/starcalc/scflt.cxx @@ -1545,7 +1545,7 @@ void Sc10Import::LoadTables() bool bPageBreak = ((DataValue & crfSoftBreak) == crfSoftBreak); bool bManualBreak = ((DataValue & crfHardBreak) == crfHardBreak); bool bHidden = ((DataValue & crfHidden) == crfHidden); - for (SCROW l = static_cast<SCROW>(DataStart); l <= static_cast<SCROW>(DataEnd); l++) + for (SCROW l = SanitizeRow(static_cast<SCROW>(DataStart)); l <= SanitizeRow(static_cast<SCROW>(DataEnd)); ++l) { pDoc->SetRowHidden(l, l, static_cast<SCTAB> (TabNo), bHidden); pDoc->SetRowBreak(l, static_cast<SCTAB> (TabNo), bPageBreak, bManualBreak); commit abc11a4c0cdec0ed2d23a76ffece9840637dcc87 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Feb 2 10:19:55 2015 +0000 coverity#1242704 Untrusted loop bound Change-Id: I88c8ff03361aa83b23c811b5d693864360f31f7f 
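Review bot: In ImplReadExtendedPolyPolygonAction (vcl/source/gdi/cvtsvm.cxx) the bound is computed per point, yet the new locals are called `nMinPolygonSize` and `nMaxPolygons`; names such as `nMinPointSize` and `nMaxPoints` would match what the check limits. The clamp `nPointCount = nMaxPolygons;` also narrows size_t to sal_uInt16 implicitly; it is safe because the branch is only taken when nMaxPolygons is smaller than nPointCount, but `nPointCount = static_cast<sal_uInt16>(nMaxPolygons);` says so and avoids a conversion warning. The same implicit narrowing appears elsewhere in this series, in ReadPolygon (`nPoints = nMaxRecordsPossible;`), EditTextObjectImpl::CreateData (`nL = nMaxElementsPossible;`) and WW8ReadSTTBF (`nExtraLen = nMaxExtraLen;`). The outer loop over nPolygonCount starts outside the hunk, so whether that count is bounded as well cannot be seen here.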
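Review bot: In Sc10Import::LoadTables (sc/source/filter/starcalc/scflt.cxx) `SanitizeRow(static_cast<SCROW>(DataEnd))` sits in the loop condition and is re-evaluated on every iteration although DataEnd does not change in the visible body; hoisting it, `const SCROW nLast = SanitizeRow(static_cast<SCROW>(DataEnd));`, makes the bound explicit. If SanitizeRow clamps rather than rejects (its definition is not on this page), a DataStart beyond the sheet would be mapped onto the last valid row and the hidden and break flags applied there instead of being dropped. A short comment stating that this is the intended handling of out-of-range input would help the next reader.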
diff --git a/vcl/source/filter/wmf/winwmf.cxx b/vcl/source/filter/wmf/winwmf.cxx index 3c8ed8b..61cba73 100644 --- a/vcl/source/filter/wmf/winwmf.cxx +++ b/vcl/source/filter/wmf/winwmf.cxx @@ -371,6 +371,12 @@ void WMFReader::ReadRecordParams( sal_uInt16 nFunc ) pWMF->ReadUInt16( nPolyCount ); if (nPolyCount && pWMF->good()) { + if (nPolyCount > pWMF->remainingSize() / sizeof(sal_uInt16)) + { + bRecordOk = false; + break; + } + // Number of points of each polygon. Determine total number of points boost::scoped_array<sal_uInt16> xPolygonPointCounts(new sal_uInt16[nPolyCount]); sal_uInt16* pnPoints = xPolygonPointCounts.get(); @@ -403,6 +409,13 @@ void WMFReader::ReadRecordParams( sal_uInt16 nFunc ) for (sal_uInt16 a = 0; a < nPolyCount && pWMF->good(); ++a) { const sal_uInt16 nPointCount(pnPoints[a]); + + if (nPointCount > pWMF->remainingSize() / (2 * sizeof(sal_uInt16))) + { + bRecordOk = false; + break; + } + boost::scoped_array<Point> xPolygonPoints(new Point[nPointCount]); Point* pPtAry = xPolygonPoints.get(); commit b6420535b0bbbaf6db97c2cc1cedd15150d24258 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Feb 2 10:17:54 2015 +0000 coverity#1242653 Untrusted loop bound Change-Id: Ic5f9837531bc95526bb29b4e248e413754f630be diff --git a/sw/source/filter/ww8/ww8scan.cxx b/sw/source/filter/ww8/ww8scan.cxx index 9cbf0d6..d07d9ee 100644 --- a/sw/source/filter/ww8/ww8scan.cxx +++ b/sw/source/filter/ww8/ww8scan.cxx @@ -3865,11 +3865,8 @@ void WW8ReadSTTBF(bool bVer8, SvStream& rStrm, sal_uInt32 nStart, sal_Int32 nLen rStrm.ReadUInt16( nExtraLen ); - size_t nMinRecordSize = nExtraLen; - if (bUnicode) - nMinRecordSize += sizeof(sal_uInt16); - else - nMinRecordSize += sizeof(sal_uInt8); + const size_t nMinStringLen = bUnicode ? sizeof(sal_uInt16) : sizeof(sal_uInt8); + const size_t nMinRecordSize = nExtraLen + nMinStringLen; const size_t nMaxPossibleStrings = rStrm.remainingSize() / nMinRecordSize; if (nStrings > nMaxPossibleStrings) { 
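Review bot: The two added `break` statements in WMFReader::ReadRecordParams (vcl/source/filter/wmf/winwmf.cxx) leave different scopes: the one guarding nPolyCount sits directly in the `if` block and so exits whatever encloses it, while the one guarding nPointCount only exits the `for` loop over polygons. Both set `bRecordOk = false`, but the code that reacts to that flag is outside the hunks, so it is worth confirming that the first path still reaches the same error handling and that nothing after the loop uses the partially filled polygon data. A one-line comment on each divisor would also help, assuming that is what they encode: `// each polygon contributes one 16-bit point count` and `// each point is two 16-bit coordinates`.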
@@ -3877,6 +3874,16 @@ void WW8ReadSTTBF(bool bVer8, SvStream& rStrm, sal_uInt32 nStart, sal_Int32 nLen nStrings = nMaxPossibleStrings; } + if (nExtraLen && nStrings) + { + const size_t nMaxExtraLen = (rStrm.remainingSize() - (nStrings * nMinStringLen)) / nStrings; + if (nExtraLen > nMaxExtraLen) + { + SAL_WARN("sw.ww8", "STTBF claims " << nMaxExtraLen << " extra len, but only " << nMaxExtraLen << "are possible"); + nExtraLen = nMaxExtraLen; + } + } + for (sal_uInt16 i=0; i < nStrings; ++i) { if (bUnicode) commit 28236bed527b7ceb68d3c8260ea89ee9cddbf3dc Author: Caolán McNamara <caol...@redhat.com> Date: Mon Feb 2 10:09:26 2015 +0000 coverity#1242632 Use of untrusted scalar value Change-Id: I91b8505fdbd4ebc77a76279b8c6476daf422319f diff --git a/editeng/source/editeng/editobj.cxx b/editeng/source/editeng/editobj.cxx index bf316c7..ea20882 100644 --- a/editeng/source/editeng/editobj.cxx +++ b/editeng/source/editeng/editobj.cxx @@ -1483,7 +1483,7 @@ void EditTextObjectImpl::CreateData( SvStream& rIStream ) if ( nVersion >= 601 ) { - bool bTmp; + bool bTmp(false); rIStream.ReadCharAsBool( bTmp ); bVertical = bTmp; } 
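Review bot: The new SAL_WARN in WW8ReadSTTBF (sw/source/filter/ww8/ww8scan.cxx) streams nMaxExtraLen for both numbers, so the log never shows the length the file actually claimed, and the literal `"are possible"` lacks a leading space. It should read `SAL_WARN("sw.ww8", "STTBF claims " << nExtraLen << " extra len, but only " << nMaxExtraLen << " are possible");`. Because nStrings has just been limited to `remainingSize() / (nExtraLen + nMinStringLen)`, the subtraction cannot underflow, but the same arithmetic suggests the new branch can never be taken; a comment naming the case it is meant to catch would help.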
@@ -1492,28 +1492,46 @@ void EditTextObjectImpl::CreateData( SvStream& rIStream ) { rIStream.ReadUInt16( nScriptType ); - bool bUnicodeStrings; + bool bUnicodeStrings(false); rIStream.ReadCharAsBool( bUnicodeStrings ); if ( bUnicodeStrings ) { - for ( sal_uInt16 nPara = 0; nPara < nParagraphs; nPara++ ) + for (sal_uInt16 nPara = 0; nPara < nParagraphs; ++nPara) { ContentInfo& rC = aContents[nPara]; - sal_uInt16 nL; + sal_uInt16 nL(0); // Text - rIStream.ReadUInt16( nL ); - if ( nL ) + rIStream.ReadUInt16(nL); + if (nL) { + size_t nMaxElementsPossible = rIStream.remainingSize() / sizeof(sal_Unicode); + if (nL > nMaxElementsPossible) + { + SAL_WARN("editeng", "Parsing error: " << nMaxElementsPossible << + " max possible entries, but " << nL << " claimed, truncating"); + nL = nMaxElementsPossible; + } + rtl_uString *pStr = rtl_uString_alloc(nL); rIStream.Read(pStr->buffer, nL*sizeof(sal_Unicode)); rC.SetText((OUString(pStr, SAL_NO_ACQUIRE))); + + nL = 0; } // StyleSheetName rIStream.ReadUInt16( nL ); if ( nL ) { + size_t nMaxElementsPossible = rIStream.remainingSize() / sizeof(sal_Unicode); + if (nL > nMaxElementsPossible) + { + SAL_WARN("editeng", "Parsing error: " << nMaxElementsPossible << + " max possible entries, but " << nL << " claimed, truncating"); + nL = nMaxElementsPossible; + } + rtl_uString *pStr = rtl_uString_alloc(nL); rIStream.Read(pStr->buffer, nL*sizeof(sal_Unicode) ); rC.GetStyle() = OUString(pStr, SAL_NO_ACQUIRE); commit dcad3ac445980740b6a39761cdd1f1bd0b3e6e34 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Feb 2 10:05:04 2015 +0000 coverity#1242624 Untrusted loop bound Change-Id: Idf52c09828c2bab767e9ff0d07b61befd6bfc64b diff --git a/filter/source/msfilter/msdffimp.cxx b/filter/source/msfilter/msdffimp.cxx index 77b6b80..656c93f 100644 --- a/filter/source/msfilter/msdffimp.cxx +++ b/filter/source/msfilter/msdffimp.cxx 
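Review bot: The clamp-allocate-read sequence is now written out twice in EditTextObjectImpl::CreateData (editeng/source/editeng/editobj.cxx), once for the paragraph text and once for the style sheet name, with identical warning text. A file-local helper would keep the bound and the read together so the two copies cannot drift apart, and gives one place for the explicit narrowing cast. The result of `rIStream.Read` is still ignored, so a short read would leave the tail of the newly allocated buffer in the resulting string as-is; checking the returned count inside the helper would cover both call sites. The loop body continues past the end of the hunk.

```cpp
// Reads nLen UTF-16 code units, limiting nLen to what the stream can still supply.
static OUString lcl_ReadUnicodeString(SvStream& rIStream, sal_uInt16 nLen)
{
    const size_t nMaxElementsPossible = rIStream.remainingSize() / sizeof(sal_Unicode);
    if (nLen > nMaxElementsPossible)
    {
        SAL_WARN("editeng", "Parsing error: " << nMaxElementsPossible <<
                 " max possible entries, but " << nLen << " claimed, truncating");
        nLen = static_cast<sal_uInt16>(nMaxElementsPossible);
    }
    rtl_uString *pStr = rtl_uString_alloc(nLen);
    rIStream.Read(pStr->buffer, nLen*sizeof(sal_Unicode));
    return OUString(pStr, SAL_NO_ACQUIRE);
}

// … unchanged: loop header, rC and nL declarations …
rIStream.ReadUInt16(nL);
if (nL)
{
    rC.SetText(lcl_ReadUnicodeString(rIStream, nL));
    nL = 0;
}

// StyleSheetName
rIStream.ReadUInt16( nL );
if ( nL )
{
    rC.GetStyle() = lcl_ReadUnicodeString(rIStream, nL);
```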
@@ -2153,13 +2153,19 @@ void DffPropertyReader::ApplyCustomShapeGeometryAttributes( SvStream& rIn, SfxIt sal_uInt16 nNumElemMemVert = 0; rIn.ReadUInt16( nNumElemVert ).ReadUInt16( nNumElemMemVert ).ReadUInt16( nElemSizeVert ); } - if ( nNumElemVert ) + bool bImport = false; + if (nElemSizeVert == 8 || nElemSizeVert == 4) + { + //sanity check that the stream is long enough to fulfill nNumElem * nElemSize; + bImport = rIn.remainingSize() / nElemSizeVert >= nNumElemVert; + } + if (bImport) { - sal_Int32 nX, nY; - sal_Int16 nTmpA, nTmpB; aCoordinates.realloc( nNumElemVert ); - for ( sal_uInt16 i = 0; i < nNumElemVert; i++ ) + for (sal_uInt16 i = 0; i < nNumElemVert; ++i) { + sal_Int32 nX(0), nY(0); + if ( nElemSizeVert == 8 ) { rIn.ReadInt32( nX ) @@ -2167,6 +2173,7 @@ void DffPropertyReader::ApplyCustomShapeGeometryAttributes( SvStream& rIn, SfxIt } else { + sal_Int16 nTmpA(0), nTmpB(0); rIn.ReadInt16( nTmpA ) .ReadInt16( nTmpB ); commit 71b87e381bc8cbab588cf4194c2b290b0531d5b4 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Feb 2 10:00:53 2015 +0000 coverity#1242531 Untrusted value as argument Change-Id: I86e872251f7b8b0818a91c4a133f363e76be5f34 diff --git a/tools/source/generic/poly.cxx b/tools/source/generic/poly.cxx index f104a33..e4153b9 100644 --- a/tools/source/generic/poly.cxx +++ b/tools/source/generic/poly.cxx @@ -1540,6 +1540,14 @@ SvStream& ReadPolygon( SvStream& rIStream, Polygon& rPoly ) // read all points and create array rIStream.ReadUInt16( nPoints ); + + const size_t nMaxRecordsPossible = rIStream.remainingSize() / (2 * sizeof(sal_Int32)); + if (nPoints > nMaxRecordsPossible) + { + SAL_WARN("tools", "Polygon claims " << nPoints << " records, but only " << nMaxRecordsPossible << " possible"); + nPoints = nMaxRecordsPossible; + } + if ( rPoly.mpImplPolygon->mnRefCount != 1 ) { if ( rPoly.mpImplPolygon->mnRefCount ) 
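Review bot: In DffPropertyReader::ApplyCustomShapeGeometryAttributes (filter/source/msfilter/msdffimp.cxx) the old guard `if ( nNumElemVert )` is replaced by `bImport`, which is also true when nNumElemVert is 0, so an empty vertex array now enters the block and reaches `aCoordinates.realloc( nNumElemVert )` and whatever follows the loop outside the hunk. If skipping the zero-count case was intentional, keep it in the test: `bImport = nNumElemVert != 0 && rIn.remainingSize() / nElemSizeVert >= nNumElemVert;`. Element sizes other than 4 and 8, which previously fell into the 16-bit `else` branch, are now dropped without any trace; a SAL_WARN on that path would make rejected input visible when debugging import problems.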
@@ -1551,12 +1559,6 @@ SvStream& ReadPolygon( SvStream& rIStream, Polygon& rPoly ) { // Determine whether we need to write through operators - const size_t nMaxRecordsPossible = rIStream.remainingSize() / (2 * sizeof(sal_Int32)); - if (nPoints > nMaxRecordsPossible) - { - SAL_WARN("tools", "Polygon claims " << nPoints << " records, but only " << nMaxRecordsPossible << " possible"); - nPoints = nMaxRecordsPossible; - } #if (SAL_TYPES_SIZEOFLONG) == 4 #ifdef OSL_BIGENDIAN if ( rIStream.GetEndian() == SvStreamEndian::BIG ) commit cbe24d8988b41338d0c712e86ec18f7e3f1f86d8 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Feb 2 09:58:15 2015 +0000 coverity#736943 Untrusted loop bound Change-Id: I18a19770f7bb328b889b8da1fb73d20bc1ca9064 diff --git a/vcl/generic/fontmanager/fontmanager.cxx b/vcl/generic/fontmanager/fontmanager.cxx index cf74934..c98ccc5 100644 --- a/vcl/generic/fontmanager/fontmanager.cxx +++ b/vcl/generic/fontmanager/fontmanager.cxx @@ -832,7 +832,7 @@ bool PrintFontManager::analyzeFontFile( int nDirID, const OString& rFontFile, :: { // get number of ttc entries int nLength = CountTTCFonts( aFullPath.getStr() ); - if( nLength ) + if (nLength > 0) { #if OSL_DEBUG_LEVEL > 1 fprintf( stderr, "ttc: %s contains %d fonts\n", aFullPath.getStr(), nLength ); commit d162d0556ecce5b9f7c561a9ba1b88fd5d8c2b0a Author: Caolán McNamara <caol...@redhat.com> Date: Mon Feb 2 09:54:54 2015 +0000 coverity#1266460 Argument cannot be negative Change-Id: I715b27b507926e2670cc094d4ebaa429e502232c diff --git a/svtools/source/dialogs/roadmapwizard.cxx b/svtools/source/dialogs/roadmapwizard.cxx index 8a6587e..64126d7 100644 --- a/svtools/source/dialogs/roadmapwizard.cxx +++ b/svtools/source/dialogs/roadmapwizard.cxx 
@@ -272,6 +272,8 @@ namespace svt const WizardPath& rActivePath( m_pImpl->aPaths[ m_pImpl->nActivePath ] ); sal_Int32 nCurrentStatePathIndex = m_pImpl->getStateIndexInPath( getCurrentState(), rActivePath ); + if (nCurrentStatePathIndex < 0) + return; // determine up to which index (in the new path) we have to display the items RoadmapTypes::ItemIndex nUpperStepBoundary = (RoadmapTypes::ItemIndex)rActivePath.size(); @@ -332,7 +334,7 @@ namespace svt // there is an item with this index in the roadmap - does it match what is requested by // the respective state in the active path? RoadmapTypes::ItemId nPresentItemId = m_pImpl->pRoadmap->GetItemID( nItemIndex ); - WizardState nRequiredState = rActivePath.at(nItemIndex); + WizardState nRequiredState = rActivePath[ nItemIndex ]; if ( nPresentItemId != nRequiredState ) { m_pImpl->pRoadmap->DeleteRoadmapItem( nItemIndex ); @@ -346,7 +348,7 @@ namespace svt bInsertItem = bNeedItem; } - WizardState nState(rActivePath.at(nItemIndex)); + WizardState nState( rActivePath[ nItemIndex ] ); if ( bInsertItem ) { m_pImpl->pRoadmap->InsertRoadmapItem( @@ -595,6 +597,8 @@ namespace svt sal_Int32 nCurrentStatePathIndex = -1; if ( m_pImpl->nActivePath != -1 ) nCurrentStatePathIndex = m_pImpl->getStateIndexInPath( getCurrentState(), m_pImpl->nActivePath ); + if (nCurrentStatePathIndex < 0) + return; for ( RoadmapTypes::ItemIndex nItemIndex = nCurrentStatePathIndex; nItemIndex < nLoopUntil; ++nItemIndex ) { bool bExistentItem = ( nItemIndex < m_pImpl->pRoadmap->GetItemCount() ); 
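Review bot: The replacements of `rActivePath.at(nItemIndex)` with `rActivePath[ nItemIndex ]` in svtools/source/dialogs/roadmapwizard.cxx (twice in the hunks here, and again in the hunk at -603) give up the bounds check, while the guard added by this commit only establishes the lower bound `nCurrentStatePathIndex >= 0`. In the first function nUpperStepBoundary is initialised from `rActivePath.size()`, though the loop that uses it is outside the hunk; in the second the relation between nLoopUntil and the path length is not visible at all. Either keep `.at()` or add a comment next to each loop stating why nItemIndex is always below `rActivePath.size()`.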
@@ -603,7 +607,7 @@ namespace svt // there is an item with this index in the roadmap - does it match what is requested by // the respective state in the active path? RoadmapTypes::ItemId nPresentItemId = m_pImpl->pRoadmap->GetItemID( nItemIndex ); - WizardState nRequiredState = rActivePath.at(nItemIndex); + WizardState nRequiredState = rActivePath[ nItemIndex ]; if ( _nState == nRequiredState ) { m_pImpl->pRoadmap->ChangeRoadmapItemLabel( nPresentItemId, getStateDisplayName( nRequiredState ) ); commit d67a370f7bd9efffe564b98f80ad3cd039490a47 Author: Caolán McNamara <caol...@redhat.com> Date: Mon Feb 2 09:50:57 2015 +0000 coverity#1267656 Logically dead code Change-Id: I37c59a0bc2d7a62535f4f4951f8378c291f2affa diff --git a/connectivity/source/drivers/evoab2/NStatement.cxx b/connectivity/source/drivers/evoab2/NStatement.cxx index 6436af4..546384a 100644 --- a/connectivity/source/drivers/evoab2/NStatement.cxx +++ b/connectivity/source/drivers/evoab2/NStatement.cxx @@ -393,9 +393,6 @@ EBookQuery *OCommonStatement::whereAnalysis( const OSQLParseNode* parseTree ) pResult = createTest( aColumnName, E_BOOK_QUERY_BEGINS_WITH, aMatchString.copy( 0, aMatchString.getLength() - 1 ) ); else m_pConnection->throwGenericSQLException(STR_QUERY_LIKE_WILDCARD,*this); - - if( pResult && bNotLike ) - pResult = e_book_query_not( pResult, TRUE ); } else if( aMatchString.getLength() >= 3 && aMatchString.startsWith( OUString(WILDCARD) ) && commit 608bca82869c739ee4522954c27856782166647b Author: Caolán McNamara <caol...@redhat.com> Date: Mon Feb 2 09:48:47 2015 +0000 coverity#735323 Unchecked return value Change-Id: I907b2fb0024b104cc008cbf4c75f30513c7eb57d diff --git a/sd/source/filter/eppt/eppt.cxx b/sd/source/filter/eppt/eppt.cxx index c40de34..cf068f3 100644 --- a/sd/source/filter/eppt/eppt.cxx +++ b/sd/source/filter/eppt/eppt.cxx 
@@ -394,9 +394,9 @@ void PPTWriter::ImplWriteSlideMaster( sal_uInt32 nPageNum, Reference< XPropertyS // the auto color is dependent to the page background,so we have to set a page that is in the right context if ( nInstance == EPP_TEXTTYPE_Notes ) - GetPageByIndex( 0, NOTICE ); + (void)GetPageByIndex(0, NOTICE); else - GetPageByIndex( 0, MASTER ); + (void)GetPageByIndex(0, MASTER); mpPptEscherEx->BeginAtom();
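Review bot: The `(void)` casts in PPTWriter::ImplWriteSlideMaster (sd/source/filter/eppt/eppt.cxx) silence the unchecked-return warning without saying why a failed GetPageByIndex can be ignored here. The existing comment suggests the call is made only for its side effect, so extending it would record that, for example `// return value ignored on purpose: the call only switches the current page`. If a failure could leave the wrong page selected for the auto colour lookup, handling the result would be the safer choice; the rest of the function is outside the hunk.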